Complete bug reports for all bugs can be obtained by visiting the
following URL: http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXX
where you replace the XXXXX at the end of the URL with a bug number as
listed below. You may also enter the bug numbers in the "enter a bug#" box
on the main page at http://bugzilla.mozilla.org/ or in the footer of any
other page on bugzilla.mozilla.org.

A complete list of issues solved in 2.14.2 follows:

- queryhelp.cgi no longer shows confidential products to
people it shouldn't.
(bug 126801)

- It was possible for a user to bypass the IP check by
setting up a fake reverse DNS, if the Bugzilla web server
was configured to do reverse DNS lookups. Apache is not
configured as such by default. This is not a complete
exploit, as the user's login cookie would also need to
be divulged for this to be a problem.
(bug 129466)

- In some situations the data directory became world writeable.
(bug 134575)

- Any user with access to editusers.cgi could delete a user
regardless of whether 'allowuserdeletion' is on.
(bug 141557)

- Mass change would set the groupset of every bug to be the
groupset of the first bug.
(bug 107718)

- Some browsers (eg NetPositive) interacted with Bugzilla
badly and could have various form problems, including
removing group restrictions on bugs.
(bug 148674)

- It was possible for random confidential information to be
divulged, if the shadow database was in use and became
corrupted.
(bug 92263)

- The bug list sort order is now stricter about the SQL it will accept,
ensuring you use correct column name syntax. Before this, there were
some syntax checks, so it is not known whether this problem was
exploitable.
(bug 130821)

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing
list (see http://www.mozilla.org/community.html for directions how to
access these forums).